Reading view

CVE-2026-3102: macOS ExifTool image-processing vulnerability | Kaspersky official blog

Can a computer be infected with malware simply by processing a photo — particularly if that computer is a Mac, which many still believe (wrongly) to be inherently resistant to malware? As it turns out, the answer is yes — if you’re using a vulnerable version of ExifTool or one of the many apps built based on it. ExifTool is a ubiquitous open-source solution for reading, writing, and editing image metadata. It’s the go-to tool for photographers and digital archivists, and is widely used in data analytics, digital forensics, and investigative journalism.

Our GReAT experts discovered a critical vulnerability — tracked as CVE-2026-3102 — which is triggered during the processing of malicious image files containing embedded shell commands within their metadata. When a vulnerable version of ExifTool on macOS processes such a file, the command is executed. This allows a threat actor to perform unauthorized actions in the system, such as downloading and executing a payload from a remote server. In this post, we break down how this exploit works, provide actionable defense recommendations, and explain how to verify if your system is vulnerable.

What is ExifTool?

ExifTool is a free, open-source application addressing a niche but critical requirement: it extracts metadata from files, and enables the processing of both that data and the files themselves. Metadata is the information embedded within most modern file formats that describes or supplements the main content of a file. For instance, in a music track, metadata includes the artist’s name, song title, genre, release year, album cover art, and so on. For photographs, metadata typically consists of the date and time of a shot, GPS coordinates, ISO and shutter speed settings, and the camera make and model. Even office documents store metadata, such as the author’s name, total editing time, and the original creation date.

ExifTool is the industry leader in terms of the sheer volume of supported file formats, as well as the depth, accuracy, and versatility of its processing capabilities. Common use cases include:

  • Adjusting dates if they’re incorrectly recorded in the source files
  • Moving metadata between different file formats (from JPG to PNG and so on)
  • Pulling preview thumbnails from professional RAW formats (such as 3FR, ARW, or CR3)
  • Retrieving data from niche formats, including FLIR thermal imagery, LYTRO light-field photos, and DICOM medical imaging
  • Renaming photo/video (etc.) files based on the time of actual shooting, and synchronizing the file creation time and date accordingly
  • Embedding GPS coordinates into a file by syncing it with a separately stored GPS track log, or adding the name of the nearest populated area

The list goes on and on. ExifTool is available both as a standalone command-line application and an open-source library, meaning its code often runs under the hood of powerful, multi-purpose tools; examples include photo organization systems like Exif Photoworker and MetaScope, or image processing automation tools like ImageIngester. In large digital libraries, publishing houses, and image analytics firms, ExifTool is frequently used in automated mode, triggered by internal enterprise applications and custom scripts.

How CVE-2026-3102 works

To exploit this vulnerability, an attacker must craft an image file in a certain way. While the image itself can be anything, the exploit lies in the metadata — specifically the DateTimeOriginal field (date and time of creation), which must be recorded in an invalid format. In addition to the date and time, this field must contain malicious shell commands. Due to the specific way ExifTool handles data on macOS, these commands will execute only if two conditions are met:

  • The application or library is running on macOS
  • The -n (or –printConv) flag is enabled. This mode outputs machine-readable data without additional processing, as is. For example, in -n mode, camera orientation data is output simply, inexplicably, as “six”, whereas with additional processing, it becomes the more human-readable “Rotated 90 CW”. This “human-readability” prevents the vulnerability from being exploited

A rare but by no means fantastical scenario for a targeted attack would look like this: a forensics laboratory, a media editorial office, or a large organization that processes legal or medical documentation receives a digital document of interest. This can be a sensational photo or a legal claim — the bait depends on the victim’s line of work. All files entering the company undergo sorting and cataloging via a digital asset management (DAM) system. In large companies, this may be automated; individuals and small firms run the required software manually. In either case, the ExifTool library must be used under the hood of this software. When processing the date of the malicious photo, the computer where the processing occurs is infected with a Trojan or an infostealer, which is subsequently capable of stealing all valuable data stored on the attacked device. Meanwhile, the victim could easily notice nothing at all, as the attack leverages the image metadata while the picture itself may be harmless, entirely appropriate, and useful.

How to protect against the ExifTool vulnerability

GReAT researchers reported the vulnerability to the author of ExifTool, who promptly released version 13.50, which is not susceptible to CVE-2026-3102. Versions 13.49 and earlier must be updated to remediate the flaw.

It’s critical to ensure that all photo processing workflows are using the updated version. You should verify that all asset management platforms, photo organization apps, and any bulk image processing scripts running on Macs are calling ExifTool version 13.50 or later, and don’t contain an embedded older copy of the ExifTool library.

Naturally, ExifTool — like any software — may contain additional vulnerabilities of this class. To harden your defenses, we also recommend the following:

  • Isolate the processing of untrusted files. Process images from questionable sources on a dedicated machine or within a virtual environment, strictly limiting its access to other computers, data storage, and network resources.
  • Continuously track vulnerabilities along the software supply chain. Organizations that rely on open-source components in their workflows can use Open Source Software Threats Data Feed for tracking.

Finally, if you work with freelancers or self-employed contractors (or simply allow BYOD), only allow them to access your network if they have a comprehensive macOS security solution installed.

Still think macOS is safe? Then read about these Mac threats:

  •  

Flashpoint Weekly Vulnerability Insights and Prioritization Report

Blogs

Blog

Flashpoint Weekly Vulnerability Insights and Prioritization Report

Week of December 20 – December 26, 2025

Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

SHARE THIS:
Default Author Image
December 31, 2025

Flashpoint’s VulnDB™ documents over 400,000 vulnerabilities and has over 6,000 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.

Key Vulnerabilities:
Week of December 20 – December 26, 2025

Foundational Prioritization

Of the vulnerabilities Flashpoint published this week, there are 34 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.

Diving Deeper – Urgent Vulnerabilities

Of the vulnerabilities Flashpoint published last week, four are highlighted in this week’s Vulnerability Insights and Prioritization Report because they contain one or more of the following criteria:

  • Are in widely used products and are potentially enterprise-affecting
  • Are exploited in the wild or have exploits available
  • Allow full system compromise
  • Can be exploited via the network alone or in combination with other vulnerabilities
  • Have a solution to take action on

In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.

To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.

CVE IDTitleCVSS Scores (v2, v3, v4)Exploit StatusExploit ConsequenceRansomware Likelihood ScoreSocial Risk ScoreSolution Availability
CVE-2025-33222NVIDIA Isaac Launchable Unspecified Hardcoded Credentials5.0
9.8
9.3
PrivateCredential DisclosureHighLowYes
CVE-2025-33223NVIDIA Isaac Launchable Unspecified Improper Execution Privileges Remote Code Execution10.0
9.8
9.3
PrivateRemote Code ExecutionHighLowYes
CVE-2025-68613n8n Package for Node.js packages/workflow/src/expression-evaluator-proxy.ts Workflow Expression Evaluation Remote Code Execution9.0
9.9
9.4
PublicRemote Code ExecutionHighHighYes
CVE-2025-14847MongoDB transport/message_compressor_zlib.cpp ZlibMessageCompressor::decompressData() Function Zlib Compressed Protocol Header Handling Remote Uninitialized Memory Disclosure (Mongobleed)10.0
9.8
9.3
PublicUninitialized Memory DisclosureHighHighYes
Scores as of: December 30, 2025

NOTES: The severity of a given vulnerability score can change whenever new information becomes available. Flashpoint maintains its vulnerability database with the most recent and relevant information available. Login to view more vulnerability metadata and for the most up-to-date information.

CVSS scores: Our analysts calculate, and if needed, adjust NVD’s original CVSS scores based on new information being available.

Social Risk Score: Flashpoint estimates how much attention a vulnerability receives on social media. Increased mentions and discussions elevate the Social Risk Score, indicating a higher likelihood of exploitation. The score considers factors like post volume and authors, and decreases as the vulnerability’s relevance diminishes.

Ransomware Likelihood: This score is a rating that estimates the similarity between a vulnerability and those known to be used in ransomware attacks. As we learn more information about a vulnerability (e.g. exploitation method, technology affected) and uncover additional vulnerabilities used in ransomware attacks, this rating can change.

Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for CVE-2025-33223 looks like.



This record provides additional metadata like affected product versions, MITRE ATT&CK mapping, analyst notes, solution description, classifications, vulnerability timeline and exposure metrics, exploit references and more.

Analyst Comments on the Notable Vulnerabilities

Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.

CVE-2025-33222

NVIDIA Isaac Launchable contains a flaw that is triggered by the use of unspecified hardcoded credentials. This may allow a remote attacker to trivially gain privileged access to the program.

CVE-2025-33223

NVIDIA Isaac Launchable contains an unspecified flaw that is triggered as certain activities are executed with unnecessary privileges. This may allow a remote attacker to potentially execute arbitrary code.

CVE-2025-68613

n8n Package for Node.js contains a flaw in packages/workflow/src/expression-evaluator-proxy.ts that is triggered as workflow expressions are evaluated in an improperly isolated execution context. This may allow an authenticated, remote attacker to execute arbitrary code with the privileges of the n8n process.

CVE-2025-14847

MongoDB contains a flaw in the ZlibMessageCompressor::decompressData() function in mongo/transport/message_compressor_zlib.cpp that is triggered when handling mismatched length fields in Zlib compressed protocol headers. This may allow a remote attacker to disclose uninitialized memory contents on the heap.

Previously Highlighted Vulnerabilities

CVE/VulnDB IDFlashpoint Published Date
CVE-2025-21218Week of January 15, 2025
CVE-2024-57811Week of January 15, 2025
CVE-2024-55591Week of January 15, 2025
CVE-2025-23006Week of January 22, 2025
CVE-2025-20156Week of January 22, 2025
CVE-2024-50664Week of January 22, 2025
CVE-2025-24085Week of January 29, 2025
CVE-2024-40890Week of January 29, 2025
CVE-2024-40891Week of January 29, 2025
VulnDB ID: 389414Week of January 29, 2025
CVE-2025-25181Week of February 5, 2025
CVE-2024-40890Week of February 5, 2025
CVE-2024-40891Week of February 5, 2025
CVE-2024-8266Week of February 12, 2025
CVE-2025-0108Week of February 12, 2025
CVE-2025-24472Week of February 12, 2025
CVE-2025-21355Week of February 24, 2025
CVE-2025-26613Week of February 24, 2025
CVE-2024-13789Week of February 24, 2025
CVE-2025-1539Week of February 24, 2025
CVE-2025-27364Week of March 3, 2025
CVE-2025-27140Week of March 3, 2025
CVE-2025-27135Week of March 3, 2025
CVE-2024-8420Week of March 3, 2025
CVE-2024-56196Week of March 10, 2025
CVE-2025-27554Week of March 10, 2025
CVE-2025-22224Week of March 10, 2025
CVE-2025-1393Week of March 10, 2025
CVE-2025-24201Week of March 17, 2025
CVE-2025-27363Week of March 17, 2025
CVE-2025-2000Week of March 17, 2025
CVE-2025-27636
CVE-2025-29891
Week of March 17, 2025
CVE-2025-1496
Week of March 24, 2025
CVE-2025-27781Week of March 24, 2025
CVE-2025-29913Week of March 24, 2025
CVE-2025-2746Week of March 24, 2025
CVE-2025-29927Week of March 24, 2025
CVE-2025-1974 CVE-2025-2787Week of March 31, 2025
CVE-2025-30259Week of March 31, 2025
CVE-2025-2783Week of March 31, 2025
CVE-2025-30216Week of March 31, 2025
CVE-2025-22457Week of April 2, 2025
CVE-2025-2071Week of April 2, 2025
CVE-2025-30356Week of April 2, 2025
CVE-2025-3015Week of April 2, 2025
CVE-2025-31129Week of April 2, 2025
CVE-2025-3248Week of April 7, 2025
CVE-2025-27797Week of April 7, 2025
CVE-2025-27690Week of April 7, 2025
CVE-2025-32375Week of April 7, 2025
VulnDB ID: 398725Week of April 7, 2025
CVE-2025-32433Week of April 12, 2025
CVE-2025-1980Week of April 12, 2025
CVE-2025-32068Week of April 12, 2025
CVE-2025-31201Week of April 12, 2025
CVE-2025-3495Week of April 12, 2025
CVE-2025-31324Week of April 17, 2025
CVE-2025-42599Week of April 17, 2025
CVE-2025-32445Week of April 17, 2025
VulnDB ID: 400516Week of April 17, 2025
CVE-2025-22372Week of April 17, 2025
CVE-2025-32432Week of April 29, 2025
CVE-2025-24522Week of April 29, 2025
CVE-2025-46348Week of April 29, 2025
CVE-2025-43858Week of April 29, 2025
CVE-2025-32444Week of April 29, 2025
CVE-2025-20188Week of May 3, 2025
CVE-2025-29972Week of May 3, 2025
CVE-2025-32819Week of May 3, 2025
CVE-2025-27007Week of May 3, 2025
VulnDB ID: 402907Week of May 3, 2025
VulnDB ID: 405228Week of May 17, 2025
CVE-2025-47277Week of May 17, 2025
CVE-2025-34027Week of May 17, 2025
CVE-2025-47646Week of May 17, 2025
VulnDB ID: 405269Week of May 17, 2025
VulnDB ID: 406046Week of May 19, 2025
CVE-2025-48926Week of May 19, 2025
CVE-2025-47282Week of May 19, 2025
CVE-2025-48054Week of May 19, 2025
CVE-2025-41651Week of May 19, 2025
CVE-2025-20289Week of June 3, 2025
CVE-2025-5597Week of June 3, 2025
CVE-2025-20674Week of June 3, 2025
CVE-2025-5622Week of June 3, 2025
CVE-2025-5419Week of June 3, 2025
CVE-2025-33053Week of June 7, 2025
CVE-2025-5353Week of June 7, 2025
CVE-2025-22455Week of June 7, 2025
CVE-2025-43200Week of June 7, 2025
CVE-2025-27819Week of June 7, 2025
CVE-2025-49132Week of June 13, 2025
CVE-2025-49136Week of June 13, 2025
CVE-2025-50201Week of June 13, 2025
CVE-2025-49125Week of June 13, 2025
CVE-2025-24288Week of June 13, 2025
CVE-2025-6543Week of June 21, 2025
CVE-2025-3699Week of June 21, 2025
CVE-2025-34046Week of June 21, 2025
CVE-2025-34036Week of June 21, 2025
CVE-2025-34044Week of June 21, 2025
CVE-2025-7503Week of July 12, 2025
CVE-2025-6558Week of July 12, 2025
VulnDB ID: 411705Week of July 12, 2025
VulnDB ID: 411704Week of July 12, 2025
CVE-2025-6222Week of July 12, 2025
CVE-2025-54309Week of July 18, 2025
CVE-2025-53771Week of July 18, 2025
CVE-2025-53770Week of July 18, 2025
CVE-2025-54122Week of July 18, 2025
CVE-2025-52166Week of July 18, 2025
CVE-2025-53942Week of July 25, 2025
CVE-2025-46811Week of July 25, 2025
CVE-2025-52452Week of July 25, 2025
CVE-2025-41680Week of July 25, 2025
CVE-2025-34143Week of July 25, 2025
CVE-2025-50454Week of August 1, 2025
CVE-2025-8875Week of August 1, 2025
CVE-2025-8876Week of August 1, 2025
CVE-2025-55150Week of August 1, 2025
CVE-2025-25256Week of August 1, 2025
CVE-2025-43300Week of August 16, 2025
CVE-2025-34153Week of August 16, 2025
CVE-2025-48148Week of August 16, 2025
VulnDB ID: 416058Week of August 16, 2025
CVE-2025-32992Week of August 16, 2025
CVE-2025-7775Week of August 24, 2025
CVE-2025-8424Week of August 24, 2025
CVE-2025-34159Week of August 24, 2025
CVE-2025-57819Week of August 24, 2025
CVE-2025-7426Week of August 24, 2025
CVE-2025-58367Week of September 1, 2025
CVE-2025-58159Week of September 1, 2025
CVE-2025-58048Week of September 1, 2025
CVE-2025-39247Week of September 1, 2025
CVE-2025-8857Week of September 1, 2025
CVE-2025-58321Week of September 8, 2025
CVE-2025-58366Week of September 8, 2025
CVE-2025-58371Week of September 8, 2025
CVE-2025-55728Week of September 8, 2025
CVE-2025-55190Week of September 8, 2025
VulnDB ID: 419253Week of September 13, 2025
CVE-2025-10035Week of September 13, 2025
CVE-2025-59346Week of September 13, 2025
CVE-2025-55727Week of September 13, 2025
CVE-2025-10159Week of September 13, 2025
CVE-2025-20363Week of September 20, 2025
CVE-2025-20333Week of September 20, 2025
CVE-2022-4980Week of September 20, 2025
VulnDB ID: 420451Week of September 20, 2025
CVE-2025-9900Week of September 20, 2025
CVE-2025-52906Week of September 27, 2025
CVE-2025-51495Week of September 27, 2025
CVE-2025-27224Week of September 27, 2025
CVE-2025-27223Week of September 27, 2025
CVE-2025-54875Week of September 27, 2025
CVE-2025-41244Week of September 27, 2025
CVE-2025-61928Week of October 6, 2025
CVE-2025-61882Week of October 6, 2025
CVE-2025-49844Week of October 6 2025
CVE-2025-57870Week of October 6, 2025
CVE-2025-34224Week of October 6, 2025
CVE-2025-34222Week of October 6, 2025
CVE-2025-40765Week of October 11, 2025
CVE-2025-59230Week of October 11, 2025
CVE-2025-24990Week of October 11, 2025
CVE-2025-61884Week of October 11, 2025
CVE-2025-41430Week of October 11, 2025
VulnDB ID: 424051Week of October 18, 2025
CVE-2025-62645Week of October 18, 2025
CVE-2025-61932Week of October 18, 2025
CVE-2025-59503Week of October 18, 2025
CVE-2025-43995Week of October 18, 2025
CVE-2025-62168Week of October 18, 2025
VulnDB ID: 425182Week of October 25, 2025
CVE-2025-62713Week of October 25, 2025
CVE-2025-54964Week of October 25, 2025
CVE-2024-58274Week of October 25, 2025
CVE-2025-41723Week of October 25, 2025
CVE-2025-20354Week of November 1, 2025
CVE-2025-11953Week of November 1, 2025
CVE-2025-60854Week of November 1, 2025
CVE-2025-64095Week of November 1, 2025
CVE-2025-11833Week of November 1, 2025
CVE-2025-64446Week of November 8, 2025
CVE-2025-36250Week of November 8, 2025
CVE-2025-64400Week of November 8, 2025
CVE-2025-12686Week of November 8, 2025
CVE-2025-59118Week of November 8, 2025
VulnDB ID: 426231Week of November 8, 2025
VulnDB ID: 427979Week of November 22, 2025
CVE-2025-55796Week of November 22, 2025
CVE-2025-64428Week of November 22, 2025
CVE-2025-62703Week of November 22, 2025
VulnDB ID: 428193Week of November 22, 2025
CVE-2025-65018Week of November 22, 2025
CVE-2025-54347Week of November 22, 2025
CVE-2025-55182Week of November 29, 2025
CVE-2024-14007Week of November 29, 2025
CVE-2025-66399Week of November 29, 2025
CVE-2022-35420Week of November 29, 2025
CVE-2025-66516Week of November 29, 2025
CVE-2025-59366Week of November 29, 2025
CVE-2025-14174Week of December 6, 2026
CVE-2025-43529Week of December 6, 2026
CVE-2025-8110Week of December 6, 2026
CVE-2025-59719Week of December 6, 2026
CVE-2025-59718Week of December 6, 2026
CVE-2025-14087Week of December 6, 2026
CVE-2025-62221Week of December 6, 2026

Transform Vulnerability Management with Flashpoint

Request a demo today to see how Flashpoint can transform your vulnerability intelligencevulnerability management, and exposure identification program.

Request a demo today.

  •  

Finding Access Control Vulnerabilities with Autorize

In the most recent revision of the OWASP Top 10, Broken Access Controls leapt from fifth to first.1 OWASP describes an access control as something that “enforces policy such that […]

The post Finding Access Control Vulnerabilities with Autorize appeared first on Black Hills Information Security, Inc..

  •  

Exploit Development – A Sincere Form of Flattery

moth // Recently, BHIS penetration tester Dale Hobbs was on an Internal Network Penetration Test and came across an RPC-based arbitrary command execution vulnerability in his vulnerability scan results.  I […]

The post Exploit Development – A Sincere Form of Flattery appeared first on Black Hills Information Security, Inc..

  •  
❌